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DETAILED ACTION 

Claims 1-43 are pending. 

This Office Action is in response to Appeal Brief filed 09/17/2008. 

Below, Examiner has pointed out particular references contained in the prior 
art(s) of record in the body of this action for the convenience of the applicant. Although 
the specified citations are representative of the teachings in the art and are applied to 
the specific limitations within the individual claims, other passages and figures may 
apply as well. Applicant should consider the entire prior art as applicable as to the 
limitations of the claims. It is respectfully requested from the applicant, in preparing the 
response, to consider fully each reference in its entirety as potentially teaching all or 
part of the claimed invention, as well as the context of the passage as taught by the 
prior arts or disclosed by the examiner. 

Response to Arguments 

Applicant's arguments, see Appeal Brief, filed 09/17/2008, with respect to the 
rejection(s) of claim(s) 1-43 under 35 USC 103 have been fully considered and are 
persuasive. Therefore, the rejection has been withdrawn. However, upon further 
consideration, a new ground(s) of rejection is made in view of Adolph. 



Claim Rejections - 35 USC §112 

The rejection of Claims 1-28 and 43 under 35 USC 112 is withdrawn. 
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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

1. Claims 1-6, 8, 9, 14-18, 20, 21, 23, 29-35, 38, 41-43 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Andersen (US 6,122,740), hereafter 
"Andersen," in view of Alexander Shipp (GB 2 367 714), hereafter "Shipp" in view of 
Adolph (US 6,356,836), hereafter "Adolf. 

Considering Claims 1 and 43, Andersen discloses during a first time interval 
(column 8- lines 64-68, column 9- line 1) comparing (a) identities of destination hosts 
identified in requests to send data from the first host and (b) identities of destination 
hosts identified in the record (column 6- lines 56-59); automatically transmitting all 
requests to send data regardless of a result of said comparing (column 5- lines 51-54, 
see Response to Arguments). 

Anderson does not explicitly disclose a method of monitoring propagation of viruses 
within a network of hosts comprising the steps of storing in a buffer data relating to 
requests which identify a destination host not in the record. 

Shipp discloses a method of monitoring propagation of viruses within a network of hosts 
(abstract- lines 1-3), comprising the steps of: storing in a buffer data relating to requests 
which identify a destination host not in the record (p. 12- lines 3-5, once the criterion for 
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an infected message has been found (i.e. a host not in the record), holding the request 
in a temporary storage, Andersen- column 5- lines 19-23, the record). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the teachings of Anderson by storing in a buffer 
data relating to requests which identify a destination host as taught by Shipp in order to 
identify patterns characteristic of a virus outbreak and take corrective action (Shipp- 
abstract). 

The combination does not explicitly disclose establishing a record which is at least 
indicative of identities of hosts within the network to whom data has been sent by a first 
host ("destination hosts"). 

Adolph discloses establishing a record which is at least indicative of identities of hosts 
within the network to whom data has been sent by a first host ("destination hosts") 
(column 1- lines 40-64). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination of Andersen and Shipp by 
establishing a record which is at least indicative of identities of hosts within the network 
to whom data has been sent by a first host ("destination hosts") as taught by Adolph in 
order to update data for use in a destination tracking system (Adolph- column 1- lines 6- 
11). 

Considering Claims 29 and 41, and 42, Andersen discloses a method of 
operating a first host within a network of a plurality of hosts comprising the steps of (Fig. 
1 ): over the course of a first time interval (column 8- lines 64-68, column 9- line 1 ); 
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comparing identities of destination hosts monitored during the first time interval with 
destination host identities in a record (column 6- lines 56-59); 
Andersen does not explicitly disclose storing data from all sockets which identify 
destination hosts not in the record. 

Shipp does explicitly disclose storing data from all sockets which identify destination 
hosts not in the record (p. 12- lines 3-5, once the criterion for an infected message has 
been found, i.e. a host not in the record, holding the request in a temporary storage, 
Andersen- column 5- lines 19-23, the record). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the teachings of Andersen by storing data from 
all sockets which identify data not in the record as taught by Shipp in order to identify 
patterns characteristic of a virus outbreak and take corrective action. 
The combination does not explicitly disclose monitoring creation of sockets within the 
first host to identify destination hosts identified therein 
Adolph discloses monitoring creation of sockets within the first host to identify 
destination hosts identified therein (column 1- lines 40-64). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination of Andersen and Shipp by 
establishing a record which is at least indicative of identities of hosts within the network 
to whom data has been sent by a first host ("destination hosts") as taught by Adolph in 
order to update data for use in a destination tracking system (Adolph- column 1- lines 6- 
11). 
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Considering Claim 2 and 32, the combination of Andersen and Shipp discloses 
the record is established by monitoring identities of destination hosts to whom requests 
have been transmitted during a second time interval, which precedes the first time 
interval (Andersen- column 6- lines 3-13). 

Considering Claims 3 and 31, the combination discloses the record contains a 
predetermined maximum number of destination host identities, the maximum number 
being defined in accordance with a policy (Shipp- p. 11- lines 22-24 and 29, p. 13- line 
15 and 36-37). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combinatation for the benefit of creating a 
maximum threshold that once exceeded, will result in the flagging of a potential virus 
(Shipp- p. 13- lines 36-37). 

Considering Claim 4 and 33, the combination discloses the policy additionally 
defines a maximum number of destination host identities not in the record, to whom 
requests may be legitimately transmitted in accordance with policy (Shipp- p.1 1- lines 
22-29, Andersen- column 5- lines 51-54). 

Considering Claim 5 and 34, the combination discloses the step, at the end of 
any given time interval, of deleting from the buffer data relating to requests transmitted 
during the given time interval in accordance with policy (Shipp- p. 12- lines 3-5). 

Considering Claim 6, the combination discloses the step, at the end of the given 
time interval, of updating the record to reflect identities of hosts identified in requests 
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which are transmitted in accordance with policy during the given time interval 
(Andersen- column 8- lines 56-68, column 9- line 1). 

Considering Claim 8, the combination discloses the stored data is offered in a 
buffer and includes a copy of a socket created to send data in accordance with a 
request (Andersen- column 4- lines 63-68, column 5- lines 1-8). 

Considering Claims 9 and 30, the combination discloses the socket enables 
identification of at least one application program at whose behest the socket is created 
(Andersen- column 5- lines 27-34). 

Considering Claims 14 and 28, the combination discloses said time periods are 
of equal duration to at least one of said time intervals (Shipp- p. 1 1 - line 26, p. 1 3- line 
1)- 

Considering Claim 15, the combination discloses the step of monitoring the rate 
of increase in the size of the buffer, and in the event that the rate of increase in the size 
of the buffer exceeds a predetermined rate, generating a warning (Shipp- p. 13). 

Considering Claim 16, the combination discloses monitoring the increase in the 
size of the buffer per time interval, and in the event that the increase in the size of the 
buffer in any given time interval exceeds the predetermined size, generating a warning 
(Shipp- p. 11- lines 22-39, p. 13). 

Considering Claim 17, the combination discloses the step of monitoring the size 
of the buffer, and in the event that the buffer exceeds a predetermined size for a 
predetermined number of successive time intervals, generating a warning (Shipp- p. 11- 
lines 22-39, p. 13). 
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Considering Claim 18, the combination discloses at least one parameter 
selected from the group consisting of: number of destination hosts in the record; 
threshold number of requests identifying destination hosts not in the record and defining 
a state of viral infection, is varied with time (Shipp- p. 11- lines 22-39, p. 13). 

Considering Claim 20, the combination discloses at least one of the parameters 
is varied in response to a perceived threat level (Shipp- p. 1 1- lines 22-39, p. 13). 

Considering Claim 21, the combination discloses at least one of the parameters 
is changed between a first set of values and a second set of values at a predetermined 
rate (Shipp- p. 1 1 - lines 22-39, p. 1 3). 

Considering Claim 23, the combination discloses at least one parameter 
selected from the group consisting of: number of destination hosts in the record; 
threshold number of requests identifying destination hosts not in the record and defining 
a state of viral infection, is determined by performing an automated search on a set of 
data indicative of normal network traffic (Shipp- p. 1 1- lines 22-39, p. 13). 

Considering Claims 35 and 38, the combination discloses the step, in the event 
that the number of socket data items stored exceeds a predetermined value, of storing 
outgoing packets from the first host (Andersen- column 4- lines 64-67, column 5- lines 
1-8, Shipp- p.12- 2-5, p.13). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination by using the socket data from 
Andersen as a parameter for Shipp to determine if the threshold has been reached. 
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This would provide the benefit of not only being able to track emails, but allowing the 
monitoring of the port data itself. 

2. Claim 7 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Andersen, Shipp, and Adolph in view of Maher, III et al. (US 7,058,974), hereafter 
"Maher." 

Considering Claim 7, the combination of Andersen and Shipp does not explicitly 
disclose the step of updating the record to reflect the identity of the predetermined 
maximum number of destination host identities to whom data has most recently been 
sent in accordance with policy. 

Maher does explicitly disclose the step of updating the record to reflect the identity of 
the predetermined maximum number of destination host identities to whom data has 
most recently been sent in accordance with policy (column 7- lines 16-26, the state 
awareness of the traffic flow is taken to be the most recently sent hosts). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination by updating the record to 
include the most recent destination hosts as taught by Maher for the benefit of keeping 
an up to date list of recent session ids to ensurte that the proper linked list information is 
retrieved (Maher- lines 41-51). 

3. Claims 10-13, 24-27 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Andersen, Shipp, and Adolph in view of Ramanujan (US 
5,341,491), hereafter "Ramanujan." 
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Considering Claims 10 and 12, the combination discloses allowing the un- 
impeded passage of data from the first host to other hosts not in the record (column 5, 
lines 51-54). 

The combination does not discloses determining the value of parameter ("slack") based 
upon a number of successive time periods that pass when no new requests are made to 
send data from the first host to hosts not in the record; and slack exceeds a 
predetermined value. 

Ramanujan does disclose determining the value of parameter ("slack") based upon a 
number of successive time periods that pass when no new requests are made to send 
data from the first host to hosts not in the record (column 2- lines 37-44, the refusal 
counter holds the variable of mslack); and slack exceeds a predetermined value 
(column 2- lines 44-48). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination by determining a variable based 
upon the number of successive attempts that are made to perform an action as taught 
by Ramanujan for the benefit of being able to generate a response to a predetermined 
condition such as locking resources of a computer or allowing further network access. 
Ramanujan discloses incrementing a counter for successive refused attempts to access 
a network resource. Once the counter reaches a predetermined value, the resource is 
locked. It would have been obvious to use the same counter in the combination to 
determine when to allow the unimpeded access to the network. 
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Considering Claim 11, the combination discloses slack is determined based 
upon the number of successive time periods for which the buffer is empty (Ramanujan- 
column 10- lines 10-24). 

Considering Claim 13, the combination discloses the value of slack is 
decremented each time an un-impeded passage of data from the first host to a host not 
in the record is allowed (Ramanujan - column 10- lines 39-50, as the lock queue goes 
from empty to inhabitated the counter is incremented and decremented to determine 
whether to lock the resource. In the combination, this would cause the variable to be 
decremented each time data not in the record is allowed passage.) 

Considering Claim 24-27, are rejected for the same reasons as Claim 10-13 
above. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to perform the same tasks using a multiple recipient email. 
4. Claims 19, 22 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Andersen, Shipp, and Adolph in view of Cunningham et al. (EP 0 986 229). 
Cunningham et al. (EP 0 986 229) was submitted in the IDS filed on 5/27/2004. 

Considering Claims 19 and 22, the combination does not explicitly disclose at 
least one parameter is varied as a function of the time of day. 
Cunningham does explicitly disclose at least one parameter is varied as a function of 
the time of day (column 5- lines 33-37). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination by having a parameter that is 
varied as a function of time as taught by Cunningham for the benefit of using 
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parameters in the rule base that are familiar to the users (Cunningham- column 5- lines 
33-37). 

5. Claims 36, 37, 39, and 40 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Andersen, Shipp, and Adolph in view of Anderson (US 
2002/0013858), hereafter "858." 

Considering Claim 36 and 39, the combination does not explicitly disclose 
packets having a designated destination IP address are stored. 
858 does explicitly disclose packets having a designated destination IP address are 
stored ([0046]). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination by storing designated IP 
addresses for the benefit of being able to isolate certain addresses for future use. 

Considering Claim 37 and 40, the combination does not explicitly disclose the 
step of establishing the predetermined IP address from the stored socket data. 
It would have been obvious to one of ordinary skill in the art at the time of the invention 
to use the socket data to determine the IP address to be stored. 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the combination to establish the IP address from 
the stored socket data to use data that is relevant to the network flow to store future 
packets. 
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Response to Arguments 

Applicant's arguments filed 4/21/2009 have been fully considered but they are 
not persuasive. 

Regarding Claims 1, 29, and 43, applicant's arguments have been fully 
considered but are not persuasive. With respect to applicant's argument that the 
combination fails to teach "storing in a buffer data relating to requests which identify a 
destination host not in the record," the test for obviousness is not whether the features 
of a secondary reference may be bodily incorporated into the structure of the primary 
reference; nor is it that the claimed invention must be expressly suggested in any one or 
all of the references. Rather, the test is what the combined teachings of the references 
would have suggested to those of ordinary skill in the art. See In re Keller, 642 F.2d 
413, 208 USPQ 871 (CCPA 1981). 

With respect to applicant's argument that the combination fails to teach 

"establishing a record which is at least indicative of identities of destination hosts within 

the network to whom data has been sent by the first host," applicant is directed to 

Adolph- column 1, lines 40-64. Adolph discloses: 

"a method to record and store a route carried out for the first time with a facility 
installed in the subject vehicle. When making a new trip along the same route, 
this recorded information can be reused. This method is intended to simplify the 
requirements, described in DE 35 12 127 Ai, of comparing the current location of 
the vehicle with stored geographical data for a route which is already known to 
the subject vehicle. DE 41 05 180 Ai describes an autonomous road guiding 
system for motor vehicles which contains a device to record the course of a street 
actually taken and stores the data in a storage unit. Impulses along the route are 
detected automatically, whereas changes of direction are entered by hand via the 
push-buttons of the device or via the direction indicator of the vehicle. The 
storage unit thus programmed can be taken out of the device and given to a third 
party thus making it possible for the third party to drive along an unknown route 
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with the help of the storage unit. One of the problems of this autonomous road 
guiding system, among others, is that only quite specific road topologies can be 
saved and updates are not carried out. Thus neither changes in the road topology 
nor unexpected events between the programming of the storage unit and the trip 
of the third party are taken into account. Additional problems are encountered in 
the "calibration" of the geographical data." 

Adolph teaches establishing a record which is at least indicative of destination hosts 
(i.e. known routes) within the network to whom data has been sent by the first host (the 
network is disclosed within Andersen and Shipp). 

In response to applicant's argument that Adolph is nonanalogous art, it has been 
held that a prior art reference must either be in the field of applicant's endeavor or, if 
not, then be reasonably pertinent to the particular problem with which the applicant was 
concerned, in order to be relied upon as a basis for rejection of the claimed invention. 
See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992). In this case, 
Adolph is pertinent to the particular problem being solved in that it uses previous routes 
traveled to aid in further trips along the same route by storing previous routes and 
destinations traveled. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
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mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Randal D. Moran whose telephone number is 571-270- 
1255. The examiner can normally be reached on M-F: 7:00 - 4:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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Examiner, Art Unit 2435 
8/13/2009 

/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2435 



